DNS flaw reanimates slain evil sites as ghost domains
Life after death trick could be exploited by cyber-crooks
Analysis Cyber-crooks may be able to keep malicious domains operating for longer - even after they are revoked - by manipulating the web's Domain Name System (DNS).
A weakness in the cache update logic of many widely used DNS servers creates the potential to establish so-called ghost domains, according to a recent joint study by a team of researchers from universities in China and the US. These DNS servers are critical to the running of the internet: they convert human-readable domains into numeric addresses that networking kit can understand in order to route, say, page requests to the right websites.
In their paper Ghost Domain Names: Revoked Yet Still Resolvable, the researchers – Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu – explain:
Attackers often use domain names for various malicious purposes such as phishing, botnet command and control, and malware propagation. An obvious strategy for preventing these activities is deleting the malicious domain from the upper level DNS servers.
In this paper, we show that this is insufficient. We demonstrate a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers.
Our experiments with 19,045 open DNS servers show that even one week after a domain name has been revoked and its TTL expired, more than 70 per cent of the servers will still resolve it.
The researchers found that DNS server implementations by BIND, Microsoft and OpenDNS are all potentially vulnerable. There's evidence that the vulnerability has been exploited, and the prevalence of the flaw make the possibility of attack far from theoretical.
"This vulnerability can potentially allow a botnet to continuously use malicious domains which have been identified and removed from the domain registry," the Sino-American team warns.
The academics suggest various approaches towards mitigating the problem. Independent experts in the field agree that ghost domains pose a risk but disagree about how much danger it poses or how difficult it might be to fix.
Jack Koziol, a director at the InfoSec Institute, a Chicago-based security biz, told El Reg that ghost domain DNS trickery might be used by cyber-crooks to keep malicious domains alive and resolvable for much longer, perhaps even indefinitely. He thinks the flaw will be tricky to correct.
Koziol reckons the ghost domain tactic will make life far easier for cyber-crooks while making it far harder to scrub the traces of malicious domains from the net.
"If you have a domain that is doing really bad stuff, serving up fake AV malware, phishing, etc, it can be deleted at the TLD level to get it off the internet," Koziol explained. "Malware authors that used the domain basically could do nothing about it, they would just move to a new domain (which could be very disruptive to serving malware or phishing pages, etc).
"Now, with this ghost domain exploit, malware authors can keep their domains alive indefinitely, because of the vulnerability described, deleting domains at the TLD level isn’t going to work any longer. It vastly complicates the effort behind getting bad domains off the internet."
Prateek Gianchandani, a security researcher at the institute, has published a detailed analysis of ghost domain problem, including screenshots of DNS lookups to illustrate the risk, here.
The InfoSec Institute hasn't seen the flaw exploited in anger as yet, but nonetheless considers it a serious risk. "We don't have documented proof yet, but have a few scripts running to watch for it," Koziol explained.
Cricket Liu, a DNS book author, expert and vice-president of architecture at DNS appliance firm Infoblox, agreed that ghost domains posed a potential threat, but said this issue was neither particularly severe nor hard to prevent.
"It is a threat, but I think it's worth pointing out that it's relatively simple to prevent," Liu explained. "By only restricting recursive queries to authorised clients with an ACL [Access Control List] (that is, not running an open recursive name server), you'd prevent malicious folks on the internet from refreshing their delegation."
"DNSSEC offers another layer of protection; zones that have been signed don't have this problem. (Of course, that's incentive for bad guys not to sign the zones they use for their malicious purposes.)"
The high-water mark of DNS security flaws was set by a widespread cache poisoning problem famously identified by security researcher Dan Kaminsky back in 2008. Liu reckons the ghost domain flaw is nowhere near as severe - not least because it doesn't involve a flaw in the DNS protocol itself, unlike the earlier Kaminsky mega-bug.
"This vulnerability and the Kaminsky vulnerability are very different," he explained. "This new one doesn't let you inject arbitrary data into a cache, it only lets you maintain some existing data in a cache; it is worth noting that the impact is minimal if the vulnerability is actually executed." ®